Remote LAN access after VPN connection is made

ipetrov
Level 1
Level 1

Using a 2811 router with 3 serial interfaces. I configured VPN on interface 0/2/0. The VPN pool is on subnet 172.16.5.0/24. All my servers are on 172.16.1.0/24. If I try to connect internally between the 2 subnets it works fine. However, when I try from a remote location using the Cisco VPN client I am unable to get to anything after the VPN connection is established.

12 Replies

Ivan Martinon
Level 7
Level 7

Can you post your configuration? Do you have the proper no-NAT statements in place?

I attached the config file. I am doing VPN on s0/2/0.

I see 2 things that must be changed on your config.

First, you are using a pool that falls within the LAN range: 172.16.5.0/25 (Fa0/0), being a class C /24 subnet, covers the pool range, and the router thinks it has that IP range directly connected via that interface. I would use a different range instead.

Second, you are missing the no-NAT statements that exempt the return VPN traffic from being NATed.

Once you have defined a different range for the pool, go ahead and make the needed NAT changes, which should look like this:

ip access-list ext nonat
 ! LAN-to-VPN-pool traffic must not be translated (destination added here; the
 ! original lines omitted it, and IOS requires a destination on an extended ACE)
 deny ip 172.16.1.0 0.0.0.255 172.16.5.0 0.0.0.255
 deny ip 172.16.5.0 0.0.0.255 172.16.1.0 0.0.0.255
 ! Everything else from the inside networks is still translated
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 172.16.2.0 0.0.0.255 any
 permit ip 172.16.3.0 0.0.0.255 any
 permit ip 172.16.4.0 0.0.0.255 any
ip nat inside source list nonat pool capturet overload

You would need to figure out your NATs the way you need them; however, the NAT bypass is required for VPN traffic.
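The two problems named in this reply (a VPN pool that overlaps a directly connected subnet, and a missing NAT exemption for LAN-to-pool traffic) can both be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it reports any connected subnet that overlaps a proposed pool, generates the "nonat" ACL in the same shape as the one above, and evaluates a given source/destination pair against that ACL the way IOS would (first match wins, implicit deny at the end, and only a permit match gets translated). The subnet list and addresses are constructed sample values; the interface names and pool name are assumptions.

```python
import ipaddress

# Constructed sample topology: the subnets this router has directly connected
# (the 255.255.0.0 mask seen on the VPN client suggests a /16 on Fa0/0) plus a
# point-to-point serial link. Not taken from the attached config.
CONNECTED = {
    "FastEthernet0/0": "172.16.0.0/16",
    "Serial0/2/0": "203.0.113.0/30",
}


def find_pool_overlap(vpn_pool, connected):
    """Return the interfaces whose connected subnet overlaps the VPN pool.

    A non-empty result is the first problem in the reply: the router believes
    the pool addresses are reachable on that interface, so return traffic to
    VPN clients never enters the tunnel.
    """
    pool = ipaddress.ip_network(vpn_pool)
    return sorted(
        iface for iface, net in connected.items()
        if ipaddress.ip_network(net).overlaps(pool)
    )


def build_nonat_entries(lan_subnets, vpn_pool):
    """Build the ACL as (action, src_net, dst_net) tuples; dst_net None = 'any'.

    Deny entries come first so LAN-to-pool traffic is exempt from NAT; the
    permit entries keep normal Internet-bound traffic translated.
    """
    pool = ipaddress.ip_network(vpn_pool)
    lans = [ipaddress.ip_network(s) for s in lan_subnets]
    entries = [("deny", lan, pool) for lan in lans]
    entries += [("permit", lan, None) for lan in lans]
    return entries


def render_ios(entries, name="nonat"):
    """Render the entries as IOS extended ACL lines (wildcard masks)."""
    lines = [f"ip access-list extended {name}"]
    for action, src, dst in entries:
        dst_txt = "any" if dst is None else f"{dst.network_address} {dst.hostmask}"
        lines.append(f" {action} ip {src.network_address} {src.hostmask} {dst_txt}")
    return lines


def nat_decision(entries, src_ip, dst_ip):
    """Return 'translate' or 'bypass' for one flow as 'ip nat inside source list' would.

    IOS walks the list top to bottom; the first matching entry decides, and an
    unmatched flow hits the implicit deny, which for a NAT list means no
    translation.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and (dst_net is None or d in dst_net):
            return "translate" if action == "permit" else "bypass"
    return "bypass"


if __name__ == "__main__":
    for pool in ("172.16.5.0/24", "192.168.50.0/24"):
        bad = find_pool_overlap(pool, CONNECTED)
        print(f"pool {pool}: overlaps {bad or 'nothing'}")
    acl = build_nonat_entries(["172.16.1.0/24", "172.16.2.0/24"], "192.168.50.0/24")
    print("\n".join(render_ios(acl)))
    # A server replying to a VPN client must bypass NAT; Internet traffic must not.
    print(nat_decision(acl, "172.16.1.7", "192.168.50.40"))
    print(nat_decision(acl, "172.16.1.7", "198.51.100.9"))
```

Run it as-is to see the overlap report and the generated ACL; swap the constructed `CONNECTED` dictionary for the subnets from `show ip interface brief` plus their masks to check a real pool choice before applying it. The `nat_decision` helper is the useful part for troubleshooting: if a server-to-client flow returns "translate", the reply is being NATed on its way back and the exemption is missing or ordered after a permit.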

I configured the NAT pool range on 172.16.6.0/24 and created the access list as shown above (with <172.16.6.0 0.0.0.255>).

However, after I connect the VPN, my IP config for the VPN client interface is:

IP address..............172.16.6.40
Subnet Mask.............255.255.0.0
Gateway.................172.16.0.1
DNS.....................172.16.1.7

What went wrong?

Sorry, I don't follow. To what did you make the change? Can you post your updated config?

I changed the VPN pool to be on 172.16.6.0/24 (range 172.16.6.40 to 172.16.6.199) and added the entries that you recommended.

OK, thanks. You left these lines in there:

ip nat inside source list 12 pool capturet overload
ip nat inside source list 13 pool capturevpn overload

These are overriding the NAT you define after them.

I will remove these later on. What are the implications if I remove these lines? Do I have to reconfigure the way I do the NAT?

When using VPN, yes, you have to reconfigure the way you use NAT. As I explained earlier, VPN clients need to bypass NAT; with the standard setup you have, you will always NAT the reply back from the internal side, and this is not what you need, at least not for the VPN. Implications: well, you will need to refresh your NAT tables (clear them) to be able to remove those, but since you have another NAT rule that covers the same set of networks/NAT rules it should not cause any major downtime.

Thank you, I will try it later and see how it works.

I tried it with the same results. I can connect to the VPN. After I connect I get the following configuration from ipconfig /all:

IP address.........172.16.1.40
Subnet Mask........255.255.0.0
Gateway............172.16.0.1
DNS................172.16.1.7

I attached the new configuration.

So you get connected and you get an IP address; what are you trying to do after you connect?
